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Abstract 

Extraspecial groups form a remarkable subclass of p-groups. They are also present in quantum 
information theory, in particular in quantum error correction. We give here a polynomial time quantum 
algorithm for finding hidden subgroups in extraspecial groups. Our approach is quite different from the 
recent algorithms presented in [17] and [2] for the Heisenberg group, the extraspecial p-group of size 
p 3 and exponent p. Exploiting certain nice automorphisms of the extraspecial groups we define specific 



group actions which are used to reduce the problem to hidden subgroup instances in abelian groups that 
' can be dealt with directly. 

in ' 
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(N 1 1 Introduction 

The most important challenge of quantum computing is to find quantum algorithms that achieve exponential 
speedup over the best known classical solutions. In this respect, the most extensively studied problem is the 



paradigmatic hidden subgroup problem. Stated in a group theoretical setting, in HSP(G, /) we are given 
explicitely a finite group G and we also have at our disposal a function / that can be queried via an oracle, 
and which maps G into a finite set. We are promised that for some subgroup H, / is constant on each 
left coset of H and distinct on different left cosets. We say that / hides the subgroup H . The task is to 
determine the hidden subgroup H . We measure the time complexity of an algorithm by the overall running 
time when a query counts as one computational step. An algorithm is called efficient if its time complexity 
is polynomial in the logarithm of the order of G. 

We don't know any classical algorithm of polynomial query complexity for the HSP, even in the restricted 
case of abelian groups. In this respect, probably the most important result of quantum computing is that 
the HSP can be solved efficiently for abelian groups by quantum algorithms. We will call this solution, for 
which one can find an excellent description for example in Mosca's thesis |15) . the standard algorithm for 
HSP. The main quantum tool used in the standard algorithm is Fourier sampling based on the approximate 
quantum Fourier transform that can be efficiently implemented by a quantum algorithm in case of abelian 
groups [11] . Among the important special cases of this general solution one can mention Simon's xor-mask 
finding [21], Shor's factorization and discrete logarithm finding algorithms [19] . and Kitaev's algorithm [11] 
for the abelian stabilizer problem. 

Since the realization of the importance of the abelian HSP, intensive efforts have been made to solve 
the hidden subgroup problem also in finite non-abelian groups. The intrinsic mathematical interest of 
this challenge is increased by the fact that several famous classical algorithmic problems can be cast in 
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this framework, like for example the graph isomorphism problem. The successful efforts for solving the 
problem can roughly be divided into two categories. The standard algorithm has been extended to some 
non-abelian groups by Rotteler and Beth [18 , Hallgren, Russell and Ta-Shma [B], Grigni, Schulman, Vazirani 
and Vazirani [7] and Moore, Rockmore, Russell and Schulman [14) using efficient implementations of the 
quantum Fourier transform over these groups. In a different approach, Ivanyos, Magniez and Santha [10] 
and Friedl, Ivanyos, Magniez, Santha and Sen [5] have efficiently reduced the HSP in some non-abelian 
groups to HSP instances in abelian groups using classical and quantum group theoretical tools, but not the 
non-abelian Fourier transform. 

All groups where the HSP has been efficiently solved are in some sense "close" to abelian groups. Ex- 
traspecial groups, in which we present here an efficient quantum algorithm, are no exception in this respect: 
they have the property that all their proper factor groups are abelian. They form a subclass of p-groups, 
where p is a prime number, and play an important role in the theory of this family of groups. Extensive 
treatment of extraspecial groups can be found for example in the books of Huppert [9] and Aschbacher pQ . 

Extraspecial 2-groups are heavily present in the theory of quantum error correction. They provide a 
bridge between quantum error correcting codes and binary orthogonal geometry [3]. They form the real 
subgroup of the Pauli group 4J which plays a crucial role in the theory of stabilizer codes [5] . For general p, 
extraspecial p-groups give rise to the simplest examples of Clifford codes, see [T2"] . 

Efficient solutions for the HSP have already been given in several specific extraspecial groups. Extraspe- 
cial p-groups are of order p 2k+1 for some integer k. For odd p, they are of exponent p or p 2 , and extraspecial 
2-groups are of exponent 4. The class of groups for which Ivanyos, Magniez and Santha [TU] provide a 
solution include extraspecial p-groups when p is a fixed constant and the input size grows with k. When p is 
fixed, the smallest extraspecial groups are of size p 3 . Up to isomorphism there are two extraspecial groups 
of order p 3 . Recently two independent works dealt with quantum algorithms for the HSP in the group of 
exponent p, the Heisenberg group. Radhakrishnan, Rotteler and Sen [17] have followed the standard algo- 
rithm with non-abelian Fourier transform, and proved that strong Fourier sampling with a random basis 
leads to a query efficient quantum solution. In a subsequent work, Bacon, Childs and van Dam [2] devised 
an efficient quantum algorithm, where a state estimation technique, called the pretty good measurement, is 
used to reduce the HSP to some matrix sum problem that they could solve classically. 

In this paper we provide an efficient quantum algorithm for the HSP in any extraspecial group. Our main 
contribution is an efficient algorithm in extraspecial p-groups of exponent p when p grows with the input 
size. A simplified version of this algorithm gives another solution for the groups of constant exponent. The 
remaining case, groups of exponent p 2 when p is large is easily reducible to the case of groups of exponent p. 

Our approach for groups of exponent p is completely different from the above two solutions for the 
Heisenberg group. In our solution only abelian Fourier transforms and von Neumann measurements are 
used. In fact, our algorithm is a series of reductions, where we repeatedly use the standard algorithm for 
abelian groups, or a slight extension of it. In this extension, instead of a classical hiding functions we have an 
efficient quantum hiding procedure at our disposal. This procedure outputs a quantum state for every group 
element so that the states corresponding to group elements coming from the same left coset of the hidden 
subgroup are identical, whereas the states corresponding to group elements from different left cosets are 
orthogonal. Repeated invocations of the procedure might yield different states for the same group element. 

At the end of our reductions we are faced with the problem of creating an efficient hiding procedure in 
the above sense for the subgroup HG' of G, where G is an extraspecial p-group of exponent p when p is 
large, G' — {z l : < i < p — 1} is its commutator, and H is the hidden subgroup. It is easy to see, 
that if we could create the coset state \aHG') for some a £ G, then the group action multiplication from 
the right, which on a given group element g would output \aHG' ■ g), is a hiding procedure. Unfortunately, 
we can create these states efficiently only when p is constant. In the general case, we can create efficiently 
only the states \aHG' u ) for a r andom < u < p - 1, where \G' U ) = J= £ l£Zp uj- ui \z 1 ). Our main technical 
contribution is to show that several (in fact four) copies of these states can be combined together so that 
the disturbing phases cancel each other. To achieve this goal we exploit certain nice automorphisms of the 
group to define more sophisticated group actions that can be used for our purposes. 

The structure of the paper is quite simple. After a discussion on the extension of the standard algorithm 
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and a basic description of extraspecial groups in Section [21 our reduction steps are presented in Section [3] 
The summary of these reductions is stated in Theorem [TJ An efficient hiding procedure for HG' is sufficient 
to solve the HSP in an extraspecial group G. In Section 2] we establish our main result in Theorem O the 
existence of an efficient solution for the HSP in extraspecial groups. The proof is given according to the 
three cases discussed above. The most important case of groups of exponent p when p is large is dealt with 
in Section [4.21 where in Theorem [3] we provide the hiding procedure for HG' . 



2 Preliminaries 

2.1 Extensions of the standard algorithm for the abelian HSP 

We will use standard notions of quantum computing for which one can consult for example [13] . For a finite 

set X, we denote by \X) the uniform superposition 1 J2xex\ x ) over For a superposition we 

v \ x I 



denote by supp(|\£)) the support of |\&), that is the set of basis elements with non-zero amplitude. 

The general solution for the abelian HSP consists essentially of Fourier sampling of the hiding function /. 
More specifically, it involves the creation of the superposition X^ggIs^I/G?)) ano - the Fourier transform over 
G. Clearly, for the former part it is essential to have access to a hiding function. In fact, this requirement 
can be relaxed in some sense, and in this paper we will use such a relaxation. A relaxation was already used 
by Ivanyos et al. [10) who extended the notion of the hiding function to quantum functions. More precisely, 
for a finite set X, and a quantum function / : G — > C x , we say that / hides the subgroup H of G if | /(<?)) 
is a unit vector for every g G G, and / is constant on the left cosets of H, and maps elements from different 
cosets into orthogonal states. The simple fact is proven in Lemma 1 of |10) that in the standard solution of 
HSP for abelian groups, one can just as well use a quantum hiding function. 

The standard algorithms for the abelian HSP in fact repeats polynomially many times the Fourier 
sampling involving the same (classical or quantum) hiding function. In fact, in each iteration a random 
element is obtained from the subgroup orthogonal to H . Our extension is based on the observation, that for 
the sampling, one doesn't have to use the same hiding function in each iteration, different hiding functions 
will do just as well the game. For the sake of completeness we formalize this here and state the exact 
conditions that will be used in our case. 

We say that a set of vectors {\^ g ) : g S G} from some Hilbert space TC is a hiding set for the subgroup 
H of G if 



• \^!g) is a unit vector for every g G G, 



• if g and g' are in the same left coset of H then \9 g ) = |^ s '), 

• if g and g' are in different left cosets of H then \ty g ) and are orthogonal. 

A quantum procedure is hiding the subgroup H of G if for every g £ G, on input \g)\0) it outputs |<7)|\J , a ) 
where {I'J/g) : g G G} is a hiding set for H. Let us underline that we don't require from a quantum hiding 
procedure to output the same hiding set in different calls. The following fact recasts the existence of the 
standard algorithm for the abelian HSP in the context of hiding sets. 

Fact 1. Let G be a finite abelian group. If there exists an efficient quantum procedure which hides the 
subgroup H of G then there is an efficient quantum algorithm for finding H . 

Proof. It is immediate from the proof of Lemma 1 in [lOj : indeed, the exact property of the quantum hiding 
function / which is used there is that {\g}\f{g)} ■ g € G} forms a hiding set for H. □ □ 



2.2 Extraspecial groups 

Let G be a finite group. For two elements gi and g 2 of G, we usually denote their product by gig 2 - If we 
conceive group multiplication from the right as a group action of G on itself, we will use the notation g\ ■ g 2 
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for <?ig2- For a subset X of G, we will denote by (X) the subgroup generated by X . The derived subgroup 
G' of G is defined as ({x~ 1 y~ 1 xy : x,y £ G}), and its center Z(G) as {z e G : gz = zg for all g e G}. 
The Frattini subgroup $(G) is the intersection of all maximal subgroups of G. 

For an integer n, wc denote by Z„ the group of integers modulo n, and for a prime number p, we denote 
by Z* the multiplicative group of integers relatively prime with p. A p-group is a finite group whose order 
is a power of p. A p-group G is extraspecial if G' = Z(G) — 3>(G), and its center is cyclic of prime order p. 

If G is an extraspecial p-group then |G| = p 2k+1 for some integer k. The elements of G can be encoded 
by binary strings of length 0(k logp), and an efficient algorithm on that input has to be polynomial in both 
k and log p. 

The smallest non-abelian extraspecial groups are of order p 3 . For p = 2, we have, up to isomorphism, 
two extraspecial 2-groups of order 8. These are the quaternion group Q, and the dihedral group D4, the 
symmetry group of the square in two dimensions. The exponent of both of these groups is p 2 = 4. 

For p > 2, up to isomorphism we have again two extraspecial p-groups of order p 3 . The first one is the 
Hciscnberg group H p , which is the group of upper triangular 3x3 matrices over the field F p whose diagonal 
contains everywhere 1. The exponent of H p is p. The other one is A p , the group of applications 1 1— » at + b 
from Z p 2 to Z p 2, where a = 1 modulo p and b G Z p 2. The exponent of A p is p 2 . 

We give now via relations equivalent definitions of the extraspecial p-groups of order p 3 . These definitions 
will be useful for the arguments we will develop in our algorithms. To emphasize the similarities between 
these groups, we will take three generator elements x,y,z for each of them. The element z will always 
generate the center of the group. Here are the definitions via relations: 

Q = (x 2 = y 2 = [x,y] = z, z 2 = 1), 

At = (x 2 = y 2 = z 2 = 1, [x,y]=z, [x, z] = [y, z] = 1), 
H p = (x p = y p = Z P = l, [x, y] = z, [x, z] = [y, z] = l), 

A P = (xp 2 =y p = l, [x, y] = z = x p , [y, z] = l). 

From these definitions it is clear that every element in an extraspecial group of order p 3 has a unique 
representation of the form x % y^z l where i, j,£ e Z p . 

Extraspecial p-groups of order p 2k+1 , for k > 1, can be obtained as the central product of k extraspe- 
cial p-groups of order p 3 . If G\,. .. ,Gk are extraspecial p-groups of order p 3 then their central product 
G\ Y . . . Y Gfe is the factor group 

Gi x . . . x Gk mod z\ = ■ ■ ■ = Zk, 

where Zi is an arbitrary generator of Z{Gi) for i = 1, . . . , k. 

Since D4YD4 = QYQ, up to isomorphism the unique extraspecial 2-groups of order 2 2fe+1 are 
Y^ =1 £>4 and (Y-^ 1 ^) YQ. All of these groups are of exponent p 2 = 4. When p > 2, we have 
H p Y A p = A p Y A p . Therefore, up to isomorphism the unique extraspecial p-groups of order p 2k+1 are 
Y^ =1 Hp and (Y^Lj 1 H p )Y A p . The former groups are of exponent p, the latter ones are of exponent p 2 . 

It follows from the above that any extraspecial group of order p 2fc+1 can be generated by 2k + 1 elements 
xi , y\ , . . . , Xk , yk and z. Any element of the group has a unique representation of the form x\ x y^ ■ ■ • x\ h y k k z i , 
where h,i[, ■ ■ ■ ,ik,i'k,£ € Z p . Also, G' = Z(G) = {z e \£ e Z p }. 

3 Reduction lemmas 

Our results leading to our main technical contribution can be the best described via a series of reduction 
lemmas. 

Lemma 1. Let G be an extraspecial p- group, and let us given an oracle f which hides the subgroup H ofG. 
Then finding H is efficiently reducible to find HG' . 
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Proof. Since G' is a cyclic group of prime order, either G' C if or G' n if = {1}. It is simple to decide which 
one of this cases holds by checking if/(z) = /(l). If G' C if then if = HG' , and therefore the algorithm 
which finds HG' yields immediatly if. 

If G' f)H = {1} then we claim that HG' is abelian. To see this, it is sufficient to show that H is abelian, 
since G' is the center of G. Let hi and h^ be two elements of H. Then there exists t € Z p such that 
/lift. 2 = h,2h\z l . This implies that 2 is in G' n if and therefore z e = 1. 

The restriction of the hiding function / to the abelian subgroup HG' of G hides H. Therefore the 
standard algorithm for solving the HSP in abelian groups applied to HG' with oracle / yields H. □ □ 

We will show that finding HG' can be efficiently reduced to the hidden subgroup problem in an abelian 
group. For every element g = x^y^ 1 . . .x^y^z 1 of G, we denote by ~g the element x^y-^ 1 . . .x^y^. We 
define now the group G whose base set is {g : g G G}. Observe that this set of elements does not form a 
subgroup in G. To make G a group, its law is defined by gl * 52 = 5iff2 for all ~g~\ and 52 in G. It is easy to 
check that * is well defined, and is indeed a group multiplication. The group G is isomorphic to G/G' and 
therefore is abelian. For our purposes a nice way to think about G as a representation of G/G' with unique 
encoding. In fact, it is also easy to check that G is isomorphic to 1^. Finally let us observe that HG' n G 
is a subgroup of (G, *) since HG' /G' is a subgroup of G/G', 

Lemma 2. Let G be an extraspecial p- group, and let us given an oracle f which hides the subgroup H of G. 
Then finding HG' is efficiently reducible to find HG' C\G in G . 

Proof. Since HG' = (HG' n G)G', a generator set of HG' in G is composed of a generator set of HG' n G 
in G together with z. □ □ 

The group G is abelian but we don't have a hiding function for HG' DG. The main technical result of our 
paper is that using the hiding function / for H in G, we will be able to implement an efficient quantum hiding 
procedure for HG' in G. Our last reduction lemma just states that this is sufficient for finding HG' D G. 

Lemma 3. Let G be an extraspecial p-group, and let us given an oracle f which hides the subgroup H of 
G. If we have an efficient quantum procedure (using f) which hides HG' in G then we can find efficiently 
HG' ClGinG. 

Proof. The procedure which hides HG' in G hides also HG' n G in G. Since G is abelian, Fact [T] implies 
that we can find efficiently HG' n G. □ □ 

Our first theorem is the consequence of these three lemmas. It says that if in an extraspecial group we 
succeed to transform the oracle hiding the subgroup H into a quantum procedure hiding HG' then we can 
determine H . This reduction is the basis of our algorithm. 

Theorem 1. Let G be an extraspecial p-group, and let us given an oracle f which hides the subgroup H of 
G. If we have an efficient quantum procedure (using f ) which hides HG' in G then HSP(G, /) can be solved 
efficiently. 

Observe that if G' C H then HG' = H, and therefore the following corollary is immediate. 

Corollary 1. Let G be an extraspecial p-group, and let us given an oracle f which hides the subgroup H of 
G. If G' C H then we can solve efficiently HSP(G, /). 

4 The algorithm 

We now describe the quantum algorithm which solves the HSP in extraspecial groups. In fact, we will deal 
separately with three cases: groups of constant exponent, groups of exponent p when p is large, and groups 
of exponent p 2 when p is large. The case of constant exponent is actually not new, it follows from a general 
result in [10]. Nevertheless, for the sake of completeness we show how a simplified version of the algorithm 
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for the second case works here. The algorithm for extraspecial groups of exponent p that goes to infinity is 
our main result. Finally, the case of groups of exponent p 2 can be easily reduced to the case of groups of 
exponent p. These results are summarized in our main theorem. 

Theorem 2. Let G be an extraspecial p-group, and let us given an oracle f which hides the subgroup H of 
G. Then there is an efficient quantum procedure which finds H . 

4.1 Groups of constant exponent 

In Theorem 9 of |10j it is proven that in general the HSP can be solved by a quantum algorithm in polynomial 
time in the size of the input and the cardinality of G' . This includes the case of extraspecial groups of constant 
exponent. Nonetheless, for the sake of completeness we describe here an efficient procedure, similar in spirit 
to the one used for the next case but much simpler. 

First remark that for every a <E G, the set {\aHG' ■ g) : g € G} is hiding for HG' in G. The efficient 
hiding procedure for HG' computes, for some a e G, the superposition -±= J2 u ez p \ u ) \ a -HG' u ) which by 
Lemma 0] of Section 14.21 can be done efficiently. Then the first register is measured. This is repeated until 
the result of the observation is 0. Since p is constant, after a constant number of iteration the superposition 
\Q)\aHG' Q ) = \0)\aHG') is created and finally \aHG' ■ g) is computed. 

Observe that this simplified approach can not work for large exponents since p, the expected number of 
iterations, is not polynomial in the size of the input. 

4.2 Groups of exponent p when p is large 

For every u £ Z p , let \G' U ) = -±= Y, t<£ z p u~ ul \z l ) and observe that \G' U ■ z) = uj u \G' u ). 

Lemma 4. There is an efficient quantum procedure which creates — ^ X^ugz \ u )\ a -HG' u ) where a is a random 
element from G. 

Proof. We start with |0) |0) |0). Since we have access to the hiding function /, we can create the superposition 
. 2 oPG |0) \g) \f(g))- Observing and discharging the third register we get |0) \aH) for a random element a. 

Applying the Fourier transform over Z p to the first register gives \Z p )\aH). Multiplying the second register 
by z~ l when i is the content of the first one results in X^:ez \—i)\aHz' 1 ). A final Fourier transform in the 
first register creates the required superposition. □ □ 

For j = 1, . . . ,p — 1, we define the automorphisms cf>j of G mapping Xi to xj, yi to y{ and z to z J when 
i 6 {1, . . . , k}. These maps (defined on generators) extend in fact to automorphisms of G since the elements 
x\, . . . xj,, y^., z 3 generate the group G and satisfy the defining relations. 

In our next lemma we claim that the states \aHG' u ) are eigenvectors of the group action of multiplication 
from the right by <pj(g), whenever g is from HG 1 . Moreover, the corresponding eigenvalues are some powers 
of the root of the unity, the exponent does not depend on a, and the dependence on u and j is relatively 
simple. 

Lemma 5. We have 

1. Mh £H,3£e Z p ,Va e G,Vu € Z P ,V? € Z;, \aHG' u ■ 4> 3 {h)) = uj u (i-i 2 ^\aHG' u ), 

2. Va £ G,Vu £ Z p ,Vj e Z;, \aHG' u ■ <P {z)) = Lo u ^\aHG' u ). 

Proof. To begin with let's remark that for h £ H, we have \aHG' u ■ h) — \aHG' u ) and that \aHG' u ■ z) — 
tu u \aHG' u ). 

To prove the first part, let h be an element of H. Then </>j(h) = hPz 1 where t depends on h and j. We 
will show that t = (j — j 2 )£ where I depends only on h. This will imply the claim. 
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Let jo be a fixed primitive element of Z*. Then <^ (h) = h?° z s , for some s € Z p . We set = s(jo — Jo) 1 > 
and k = hz e . Then io (fc) = h jo z i{ J°- j °h ij ° = A>. Therefore <^(fc) = fc J and ^(/i) = ^{k)^- 1 ) = 
fij z tU-j ) The proof of the second part is immediate. □ □ 

The principal idea now is to take several copies of the states \aiHG' u .) and choose ji so that the product 
of the corresponding eigenvalues becomes the unity. Therefore the actions 4>j(g), when g is from HG', will 
not modify the combined state. It turns out that we can achieve this with four copies. 

For a = (ai,a 2 ,a 3 ,a 4 ) £ G 4 , u = (ui, u 2 , u 3 , n 4 ) £ Z 4 , j = {ji, j 2 , j 3 , ji) € (Z*) 4 and g £ G, we define 
the quantum state in C "* by 

|^) = |oi^ ttI ■ <p jl (9),a 2 HG , a2 ■ ct> h {g)^HG' U3 ■ cf>j 3 (g),ci4,HG' Ui ■ («?)>. 

Our purpose is to find an efficient procedure to generate triples (a,u,j) such that for every g £ HG' we 
have |*g'' u ' 3 ') = \a\HG' Ul , a 2 HG' U2 , a 3 HG' U3 , aiHG' Ui ) . We call such triples appropriate. The reason to look 
for appropriate triples is that they lead to hiding sets for HG' in G as stated in the next lemma. 

Lemma 6. If (a,u,j) is an appropriate triple then {\^[g' u ' J ) : g € G} is hiding for HG' in G. 

Proof. To see this, first observe that HG' is a normal subgroup of G. If gi and 52 are in different cosets of 
HG' in G then for every j £ Z*, the elements cf>j (gi) and </>.,■ (52) are in different cosets of HG' in G since </>j is 
an automorphism of G. Also, for every a £ G and for every u £ Z p we have supp(|ai/G^)) = supp(|ai/G')), 
and therefore supp(|ai?G^ ■ <fij(b))) and supp(\aHG' u ■ 4>j(b ))) are included in different cosets and are disjoint. 
Thus for every a £ G 4 , u £ Z 4 and ~j £ (Z;) 4 , the states and J ) are orthogonal. 

If <?i and g 2 are in the same coset of HG' then g x = gg 2 for some g £ HG' , and (pi) = <f>j i {g)4>j i (g 2 ). 
Thus = I = |*ff J ). □ □ 

Let us now address the question of existence of appropriate triples and efficient ways to generate them. 
Let (a,u,j) be an arbitrary element of G 4 x Z 4 x (Z*) 4 , and let g be an element of HG' . Then g = hz l for 
some h £ H and t £ Z p , and 4>ji(g) = ( t ) 3i{^ l ) ( t ) 3i{ zt ) f° r * — 1, ■ ■ ■ ,4. By Lemma [5] there exists £ such that 
\aiHG' u . ■ (pj(h)) = Lo u '^'^ e \ ai HG' Uz ) and \a z HG' Ut ■ <£,-(«*)) = w^lai-ffG^}, and therefore 

|*»^) = w 5:f =1 (« 4 a.-i?)<+»«?*)| 0lHG ' tti , a2iJG ^ 5 a3jffG5i3 ; fl4 iJGL 4 ) • 
We say that u € Z 4 is good if the following system of quadratic equations has a nonzero solution: 

[Etr^il =0, u 

and we call a solution j a witness of u being good. It should be clear that for every u, if u is good and j 
witnesses that then (a, u, j) is an appropriate triple. 

The next lemma states that a random u is good with constant probability, and that in this case one can 
find efficiently j witnessing that. 

Lemma 7. For every a £ G 4 , we have 

Pru £ Z 4 u is good > (p - 9)/2p. 

Moreover, when u is good a witness j can be found efficiently. 
Proof. Let us simplify system (1) to the equivalent system 

= ° (2) 
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To solve (2), we take ja = 1 and j'4 = —1, and we set v = 1*3 + 1*4 and w = U3 — U4. We will show that for 
random (ui,U2,v,w) € Z 4 , the reduced system (3) has a solution {31,32) S (^p 2 with probability at least 
(p — 9)/2p, and that the solution is easy to find: 

uij 2 + U2J2 = -v ^ 
Uljl + u 2 j 2 = -w. 

With probability at least 1 — Zp we have u\ ^ 0, U2 7^ 0, u\ + u 2 7^ 0. In that case we can substitute 
J2 = — in the first equation and get in jx the quadratic equation {uiU2+u\)ji+2u\wj\ + {w 2 +vu 2 ) = 0. 

It is a non degenerate quadratic equation whose discriminant D = —Au\U2{w 2 + (u 2 + u%)v) is uniformly 
distributed in Z p since it is linear in v. Therefore D is a quadratic residue with probability (p — l)/2p, and 
we can efficiently compute a square root of D modulo p (see, for example, subsection 13.3.1 of [20). We also 
have to ensure that 32 7^ 0. If 32 is zero, then w 2 = —vu±, which happens with probability 1/p. Therefore 
the probability of finding a solution {31,32) € (Z*) 2 is at least (p — l)/2p — 4/p. □ □ 

Theorem 3. Let G be an extraspecial p- group of exponent p, where p grows with the input size, and let us 
given an oracle f which hides the subgroup H of G. Then there is an efficient quantum procedure which 
hides HG' in G. 

Proof. We describe the efficient hiding procedure. It computes, for some a € G 4 , the superposition 

1 4 

-2® E \ui)\aiHG' Ui ), 

which by Lemma |4] can be done efficiently, and then it measures the registers for the u,-. This is repeated 
until a good u £ Z 4 is measured. By Lemma [3 this requires a constant expected number of iterations. Also, 
when a good u is measured, it finds efficiently a solution j € (Z*) 4 for system (1). Such a triple (a,u,j) 
is appropriate, and therefore by Lemma[|5] {|\E , °' UJ ) : g S G} is hiding for HG' in G. Using the additional 
input \g), the procedure finally computes j^'"'-'). □ □ 

The proof of Theorem [2] in that case follows from Theorem Q] and Theorem [3l 
4.3 Groups of exponent p 2 when p is large 

Here we deal with the group G = A P Y (Y^i H p ) , where we start with a function / hiding some subgroup 
H. As in Lemma [1] we will distinguish the cases when G' C H and when G' n H = {e}. The first case is 
already taken care of by Corollary [1] 

If G' ("I H = {e} then contains only elements whose order is at most p. Indeed an element of or- 
der p 2 cannot be in H since the p^ power of such an element is in G' . Therefore H is a subgroup of 
K = (t/i, X2, J/2) • • • j Xk, Dki %)i where x\ is the unique generator of order p 2 of G. The subgroup K is also 
(isomorphic to) a subgroup of Y^ =1 H p . We claim that we can extend the restriction of / to K into a function 
F defined on the whole group H p that also hides H. Such an extension can be defined for example 
as F{x l iy J i . . . x^y^z 1 ) = (ii, f(y 3 i . . . x 1 ^ y^ z e )) , and it is easy to see that it is indeed a hiding function. 
Therefore the problem is reduced to the HSP in extraspecial groups of exponent p. 

5 Concluding remarks 

The main technical contribution of the present paper is a quantum procedure which hides H G' in an ex- 
trapsecial p-group G where p is a large prime. We remark that it is possible to present the proof of its 
correctness in terms of irreducible representations of G. However, the present approach is shorter and it 
does not make use of concepts of noncommutative representation theory. Finally, our method can in turn be 
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extended to finding hidden subgroups efficiently in arbitrary finite two-step nilpotent groups, that is groups 
G satisfying G' < Z(G). This extension will be the subject of a subsequent paper. 
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